Re: SQL injection, php and queueing multiple statement

From: Sam Mason <sam(at)samason(dot)me(dot)uk>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: SQL injection, php and queueing multiple statement
Date: 2008-04-12 23:13:49
Message-ID: 20080412231349.GF6870@frubble.xen.chris-lamb.co.uk
Lists: pgsql-general

On Sat, Apr 12, 2008 at 11:06:42PM +0200, Ivan Sergio Borgonovo wrote:
> But what about already written code that uses pg_query?

If you rewrite the database interface then it doesn't matter, the calls
to pg_query will end up being calls to prepare/execute underneath so
you'll have their protection. If you mean that you're calling compiled
code that is already statically linked to a library that calls pg_query
then you may get some mileage out of modifying some proxying software
(which you'll probably be using anyway if you're doing any web based
stuff) to rewrite all the calls rather than doing it between PHP and the
driver. Anyway I'm not sure if this'll help you much, you have to put
trust in your code somewhere. It's just a question of where.

> Is it that terrible or nonsensical to hope to have a switch that will
> enable/disable multiple statements for each call to pg_query?

I agree that it will close some, probably small, attack vectors, but
that in general it's not going to help much. I can't help but think
that you're trying to solve what's formally known as the "Halting
Problem" (or originally the Entscheidungsproblem) which was shown to be
impossible in the 30s.

Even if you did close this hole, what's to stop the attacker from
exploiting another bug in your code and causing your code to misbehave
in some other way? About the only tool known by software engineering
that will solve this problem is that of formal methodology. You have
to sit down and spend a long time modelling your problem, then you
have to prove (formally, i.e. in some logic system) that your model is
correct, then you write the code based on the model, then you prove that
your code is true to the model. This is a *lot* of work and is only
done for very high assurance stuff at the moment, aeroplane control
software being one place it's used.

If you want an easier way of getting close to a good solution then you
want tools that will check that the code you've written is correct as
early as possible. I personally think, and there's a lot of research
saying the same thing, that statically-typed and safe languages with
formally defined semantics are good tools here. PHP is a tool for
writing code quickly, not for writing high assurance code.

Sam
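The "rewrite the database interface so pg_query calls become prepare/execute underneath" approach from the reply above, as an added example (not code from the thread or from the PostgreSQL project). It assumes a reachable PostgreSQL database with a `users(id integer, name text)` table; the connection string and table are placeholders.

```php
<?php
// Added example, not code from the thread. Assumes a reachable PostgreSQL
// database and a users(id integer, name text) table; the connection
// string below is a placeholder.
$conn = pg_connect('host=localhost dbname=app user=app password=PLACEHOLDER')
    or die('connection failed');

// Before: the value is spliced into the statement text. pg_query() hands the
// whole string to libpq's PQexec, which executes every statement it finds,
// so a value containing a semicolon and a second statement runs both.
function find_user_unsafe($conn, string $id)
{
    return pg_query($conn, "SELECT name FROM users WHERE id = $id");
}

// After: fixed statement text, value sent separately as a bind parameter.
// pg_query_params() uses PQexecParams, which accepts at most one command
// per call, so the per-call "no multiple statements" switch asked for in the
// thread is already there; the parameter is also never parsed as SQL.
function find_user_safe($conn, int $id)
{
    return pg_query_params($conn, 'SELECT name FROM users WHERE id = $1', [$id]);
}

// Drop-in replacement for existing pg_query() call sites: route every call
// through pg_query_params(), even with no parameters, so stacked statements
// are refused by the server (error "cannot insert multiple commands into a
// prepared statement") instead of silently executed. Callers that still
// build SQL text from user input remain injectable; this only removes stacking.
function db_query($conn, string $sql, array $params = [])
{
    $res = pg_query_params($conn, $sql, $params);
    if ($res === false) {
        throw new RuntimeException('query failed: ' . pg_last_error($conn));
    }
    return $res;
}

$row = pg_fetch_assoc(find_user_safe($conn, 42));
var_dump($row);

try {
    db_query($conn, 'SELECT 1; SELECT 2');   // two commands: rejected by server
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The wrapper makes the point of the reply concrete: stacking is closed as a side effect of using the extended protocol, but trust still has to be placed in whoever builds the statement text.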
